A technical guide on HA deployments and licensing written by our Senior Network Security Engineer.
High Availability
SonicWall has three kinds of High Availability detailed below.
SonicWall High Availability is available on all SonicWall UTM Appliances apart from the Soho and all Wireless units.
Only the Primary SonicWall needs to be configured (in some cases you may need to log in to the Backup appliance and turn off the PortShielding feature).
The Primary SonicWall is the only appliance that needs to have the Security Services licensed.
When the appliances have been registered correctly in the same MySonicWall account they will share the licenses across both appliances.
All settings and licensing are synchronised across both Appliances.
Stateless (Active/Passive)
Stateless High Availability is the most basic kind of HA. When the Active SonicWall appliance fails, the Idle appliance becomes the Active appliance, dropping all active connections and then renegotiating the connections.
Stateful (Active/Passive)
With Stateful High Availability, when the Active SonicWall appliance fails, the Idle appliance becomes the Active appliance caching most of the active connections without the need to renegotiate the connections due to the use of the Virtual MAC feature.
Below is a list of all the connection types that with be synchronised as the Active appliance fails to the Idle unit when it becomes active.
|
Active users |
|
|
ARP |
|
|
SonicPoint status |
|
|
Wireless guest status |
|
|
License information |
|
|
Weighted Load Balancing information |
|
|
RIP and OSPF information |
|
Active/Active DPI (Active/Passive + Active/Active for DPI Services) *
Active / Active DPI works in the same as Stateful HA but with the extra ability to share the Deep Packet Inspection traffic across both appliances. The firewall, NAT, and other modules are processed on the active firewall
The default settings are as below based on Traffic or CPU load of the Primary Appliance, however this can be manually set under the Internal Settings page to change the threshold or to force all the DPI traffic to be offloaded to the Idle Appliance.
SonicWall Appliance Model and Licensing
|
Model |
Clustering |
||||||
|
N/A |
|||||||
|
N/A |
|||||||
|
N/A |
||||||
|
N/A |
||||||
|
NSA 2400 NSa 2650 |
|
N/A |
|||||
|
NSA 3500 NSa 3650 |
|
N/A |
Expanded From 6.2.9 Firmware 01-SSC-7091 |
||||
|
NSA 4500 NSa 4650 |
N/A |
Expanded From 6.2.9 Firmware 01-SSC-4037 |
|||||
|
NSA E5500 NSa 5650 |
01-SSC-4480 |
Expanded 01-SSC-4480 |
|||||
|
NSA E6500 NSa 6650 |
01-SSC-4481 |
Expanded 01-SSC-4481 |
|||||
|
Included |
|||||||
|
Included |
|||||||
|
Included |
|||||||
|
|
|
Capture ATP is not supported for A/A DPI deployments |
|
For High Availability Configurations guides see links below.
Tips for High Availability (HA) setup
How to Replace a Primary or Secondary High Availability (HA) unit
Associating an Appliance at First Registration on MySonicWall for High Availability
* Not to be confused with Active/Active Clustering where in some scenarios both or more appliances have to be fully licensed.
SonicWall HA Clustering
- In HA Clustering both firewalls ('Cluster Nodes') are processing traffic. There are several deployment methods and caveats as stated below.
- A 'Cluster Node' can be either a single Appliance or Two Appliances in Stateful HA or Active/Active DPI.
- There can be a Maximum of up to 4 Cluster Nodes (8 Appliances in total)
- You would choose this method for extra redundancy and throughput.
- This method requires the use of additional network devices for load balancing using VRRP.
- For the Full Mesh option utilising the redundant ports, it is recommended to use different colour cables to avoid confusion.
Licensing Cluster Scenarios
|
|
|
** from Firmware version 6.2.9 firmware the NSA 3600 and 4600 are supported for Active/Active Clustering, The NSA5600 and NSa5650 require the Expanded license for the Active/Active DPI and Clustering options.
Active/Active Two Unit Cluster
The most basic deployment is the Active/Active two‐unit cluster as shown below, where both appliances are fully licensed and processing traffic.
The configuration is managed on the Master Cluster Node (Cluster Node 1). If this fails then all traffic will be processed on the Cluster Node 2. This method involves no Backup appliances in the individual Cluster Nodes so is therefore the Active/Active failover is Stateless so all network connections will be reset and VPN tunnels will be renegotiated.
Active/Active DPI HA Four Unit Cluster
For larger deployments, the cluster can include up to eight firewalls configured as four Cluster Nodes (or HA pairs). Within each Cluster Node, Stateful HA keeps the dynamic state synchronized for seamless failover with zero loss of data or a single point of failure. Stateful HA is not required, but is highly recommended for best performance during failover.Active/Active DPI HA Four Unit Cluster
Feature Caveats
When Active/Active Clustering is enabled, only static IP addresses can be used on the WAN.
The following features are not supported when Active/Active Clustering is enabled:
- DHCP Server
- L3 Transparent Mode
- L2 Bridging / L2 Transparent Mode
- Dynamic DNS
- Wire Mode
The following features are only supported on Virtual Group 1:
- SonicWall GVC
- SonicOS SSL VPN
- IP Helper
For more information on SonicWall Clustering see here:
http://help.sonicwall.com/help/sw/por/6950/26/2/4/content/HA_AAClusteringConfig.htm
Copyright NetThreat Ltd
